Forum Discussion
hpr
Altostratus
AltostratusHowto extract SAML NameID from AuthnRequest
Hi Gurus, I'm about to implement a SP-initiated SAML connection to our BigIP APM, set up as IdP, currently v15.1.2, eagerly awaiting some bug resolutions for the upgrade to 16.1. I want to su...
hprAltostratus
AltostratusThanks Sajid,
The first link does what I want to do - but whith a different starting position.
I don't get the username with as a parameter, but as NameID (or subject, different field with the same content) of the SAML Authnrequest.
However, the idea of setting the username field readonly, is good! :)
So, follow-up question: Any irule-Magicians around who can help me to extract the nameID parameter?
(What I'd need is something like ACCESS::saml authn [value] but with the f5 as IdP, not as SP... ;)
Cheers,
HP.
P.S. For my own reference:
spalandeNacreous
sorry for the lame question,but if F5 is acting as IDP, shouldn't it have access to nameID already? It will generate the SAML assertion after authentication with domain controller. on F5, we would have to set AD query to retrive attributes from AD and set nameID accordingly (e.g. email/UPN etc).
- hpr
Yes and no, SanjayP - you are way further in the process than my question... :)
YES: It should know the NameID, but
NO: Not from the AD/LDAP-Lookup, but from the SAML Authnrequest.
Elaboration: My process is:
- User clicks on SP's login page on "authenticate with SAML" and is prompted to enter e.g. his email address
- SP decides to send an Authrequest to our f5, as this is our IdP. THIS CONTAINS THE NAMEID AND THE SUBCECT ATTRIBUTES. Both contain the user's email address
- WHAT I WANT TO DO NOW on the f5: Extract either of those Attributes, treat them (ie. cut the @domain part) and set session.last.username.
- Show a login window with just a password prompt (as we already know the user name).
- NOW do the LDAP authentication, LDAP lookup, and calculating the SAML Attributes for the SP. (Thats's where you think we are already - if I get your post correctly).
- Issue the SAML assertion for the User for connecting the SP.
- SP does - based on the provided SAML attributes - the authorization for his services and grants access accordingly.
So, my question goes to step 3, not to step 5 :)
Cheers,
HP.
- spalande
thanks. it makes perfect sense now :) . Yes, I was talking about saml_subject in step#5.
There is similar discussion for auto populating user coming from SP.
https://devcentral.f5.com/s/question/0D51T00006lTl96/autofill-username-for-office-365-federation
but it appears authrequest doesn't have any attribute set if it's SP initiated SSO. Are you sure, you can see email address in authrequest?
ACCESS::saml authn [value] will not work, as that is triggered only when F5 generates the payload.
This would need to check first, how emailaddress is being sent (either any part of header, uri or payload) and write iRule to extract that, set custom session parameter with that and use in login page.
OR present F5 login page, with username/password field and take it from there. (which you are already doing it), but I understand it's not user friendly.